This privacy policy was last updated on 24 June 2024.
Privacy Policy regarding Zaver’s services - convenience translation.
1. General.
This privacy policy applies between you as a customer or registered user and Frink AB (sometimes referred to as “Zaver” or “we”) in matters concerning the protection and processing of your personal data.
Zaver is the data controller in accordance with the EU Data Protection Regulation (the “GDPR”). This privacy policy describes how Zaver, as a personal data controller, collects, saves, processes, shares and transfers your personal data when you visit Zaver’s website (zaver.com) or use Zaver’s services.
It is important to us that you feel safe when you pay with Zaver or use any of Zaver’s other services. Therefore, we are providing information about how we use your personal data in this privacy policy. We recommend that you read this document carefully before using our services and contact us if you have any questions.
Frink AB, with address Sveavägen 59, 113 59, Stockholm, Sweden, is registered with the Swedish Companies Registration Office under company number 559059-8420. You may contact us by phone at +46 8 551 062 60, by email to [email protected] or by message through Zaver’s app. Zaver has a data protection officer and an internal team that handles data protection issues. You can reach them by email to [email protected].
This policy also contains information about our processing of personal data of representatives and other individuals related to merchants as well as applicants applying for vacancies, please see clause 11-12 of this policy.
2. Your data protection rights
Right to be informed.
You have the right to be informed of how we process your personal data. We inform you through this privacy policy and by answering your questions.
The right to access
You have the right to request information from us at any time and free of charge as to whether or not we process personal data relating to you. Your right includes access to the following information:
- information about the purposes of the processing;
- the categories of the personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed
- to the extent possible, the envisaged period for which the personal data will be stored; or, if this is not possible, the criteria used to determine that period (e.g. statutory retention periods);
- your right to request rectification or deletion of your personal data or the restriction of processing personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- when the personal data are not collected from you, information as to their source;
- You are also entitled to information as to whether your personal data is the subject of an automated individual decision within the meaning of Art. 22 GDPR (so-called "profiling"), and if this is the case, which decision criteria form the basis of such an automated individual decision (logic) or which effects and scope the automated individual decision may have for you.
- If personal data is transferred to a third country outside the scope of the GDPR, you are entitled to information as to whether, and, if so, on the basis of which guarantees, an appropriate level of protection within the meaning of Art. 45, 46 GDPR is ensured at the data recipient in the third country.
- access to information on whether personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information on the appropriate guarantees linked to the transmission.
We have included the above information in this privacy policy, please contact us if you have any questions or would like further information about how we process your data.
The right to rectification
You have the right to request that Zaver corrects any information you believe is inaccurate. You also have the right to request that Zaver completes information that you believe is incomplete. This also means that the individual has the right to add such personal data that is missing and that is relevant taking into account the purpose of the personal data processing. If data is rectified at your request, we are also obliged to inform those to whom we have provided data that data has been rectified. This does not however apply if it should prove to be impossible or would involve excessive effort. You also have the right to request to be given information about to whom data has been provided.
The right to data portability
You have the right to request a copy of the personal data relating to you that Zaver holds for the performance of a contract with you, or based on your consent, in a machine-readable format. This will allow you to use it somewhere else, for example to transfer your personal data to another controller/ recipient, or directly to you, under certain conditions. The first copy is provided free of charge.
The right to erasure (“Right to be forgotten”)
You have the right to request that Zaver erases your personal data where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based according to point (a) of article 6(1), or point (a) of article 9(2) GDPR, and where there is no other legal ground for the processing;
- you object to the processing pursuant to article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to article 21(2) GDPR;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or
- the personal data have been collected in relation to the offer of information society services referred to in article 8(1) GDPR.
It is however important to know that the right to have your information erased is not absolute. There are situations where we are not able or allowed to delete your data, for example, when the data is still necessary to process for the purpose for which the data was collected, our interest to process the data overrides your interest in having them deleted, or because we have a legal obligation to keep it, these obligations prevent us from immediately erasing certain information.
The right to oppose the processing of your personal data or to object to our processing
You have a right to object when personal data is processed based on our legitimate interest (article 6(1)(f) GDPR).
If you object to the processing in such cases, we may continue to process the data only if it can be demonstrated that there are compelling legitimate reasons for the data needing to be processed that override the individual's interests, rights and freedoms or if the processing is carried out for the establishment, exercise or defence of legal claims.
The right to withdraw your consent
In the cases where Zaver processes your personal data based on your consent, you have the right to revoke your consent at any time. This means that we will stop the processing, but it does not affect the processing that we have already performed.
The right to restrict processing
You have the right to request that Zaver restricts the processing of your personal data, under certain conditions. If you believe that the data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you may request that we restrict the processing of your personal data. You may also request a restriction while you are waiting for our assessment to see if our interest in processing your data outweighs your right not to have this data processed. When the limitation ceases to apply, you shall be informed.
The right to object to an automated decision that significantly affects you
You have the right to object to an automated decision made by Zaver if this decision entails legal consequences or constitutes a decision that affects you significantly in a similar way. If you object against an automated decision, the decision will be reviewed by a person to ensure that it is correct, taking into account any additional information that you provide to us.
The right to refuse processing for direct marketing purposes
You have the right to object to the processing of your personal data for direct marketing purposes. Contact Zaver in the Zaver-app or by email to [email protected] and we will help you with your request.
3. What kind of personal data we collect and where it comes from
In this section we describe what categories of personal data that we collect and from where we collect the information (source).
Contact and identity data – Name, date of birth, social security number, address, mobile phone number, email address., title, occupation, gender, billing and delivery address, nationality, income data, employment and employment history, photos of your ID card etc. may be collected and processed. Please note that social security numbers are not collected from individuals that do not have a Swedish social security number or individuals resident outside Sweden.
The information is collected from you and, to verify the information, from third parties. The companies we work with are listed in section 7 of this policy.
Information about your financial standing – Information about, for example, your income, any credits, paid taxes, negative payment history and previous credit approvals. Information from your other bank accounts and other types of accounts that you choose to connect to the service, as well as information such as account number, bank, transaction history from your connected accounts and balances and assets. We may also process information on source of funds and proof of funds.
The information is collected from credit information bureaus and you. See clause 7 of this policy. This process involves profiling and constitutes an automated decision, go to section 5 for further information.
Transaction history and information about your use of Zaver’s and Zaver’s partners’ services – Information about outstanding debt, historical debt and repayment history. Which service(s) you have used and how you have used them.
This information comes from us or our business partners (source). This process involves profiling and constitutes an automated decision, go to section 5 for further information.
Information about the purpose and nature of the transaction – Information about, for example, what type of item or service you have purchased and from where, online shopping cart information.
When you use Zaver’s services to send a payment request (to receive a payment) or accept a payment request (to pay), we may ask for information about the transaction in question. The information is collected from the merchant and/or from you as a user of Zaver’s service.
Payment information – Clearing and serial number for bank accounts, bank account number, the relevant bank’s name, time of the payment, ownership of bank account
Zaver collects the information from you and/or from a counterpart in a transaction.
Information about electronic identification and electronic signatures (applicable to Swedish citizens/residents only)– In addition to name and social security number, for example BankID-serial numbers.
If you are a Swedish citizen or resident, we will collect information about electronic identification and electronic signatures. The information is collected from Finansiell ID-Teknik AB (BankID) so that we can identify you.
Technical information about your use of Zaver’s services and device information – Technical data generated through your use of Zaver’s services such as whether or not sms and emails have reached you, response time for web pages, any errors that have occurred and the date and time when you used Zaver’s services. Device information includes information about your phone or computer such as IP address, language settings, browser settings, time zone, geographical position, operating system, platform, screen resolution, how fast the connection you use is and other similar information
When you use Zaver’s services, technical user data and device information is collected from your device and from us. This process may involve profiling, go to section 5 for further information.
Information about your contacts with Zaver’s customer service – Chat conversations, email correspondence and recorded phone calls.
This information is collected from you when you contact our customer service.
Information concerning PEP-status and sanctions – Lists of persons constituting politically exposed persons (“PEP”) and sanction lists include information such as name, date of birth, social security number (if applicable), place of birth, occupation or position, and the reason why the person is on the list in question.
Zaver collects information from you and from third parties to investigate whether you have a politically exposed position or are related to such a person (PEP/RCA-status). Furthermore, reconciliation with sanction lists is performed. This process involves profiling and constitutes an automated decision, go to section 5 for further information.
Sensitive personal data and criminal offences – Sensitive data is data that reveals political views, religious beliefs, health or information about criminal offences.
The information is collected from you or from third parties that provide PEP- and sanction lists, as sensitive personal data and data about criminal offences can appear in PEP- and sanction lists. Information collected through the categories Transaction history and information about your use of Zaver’s and Zaver’s partners’ services and Information about your financial standing, such as transaction history from your connected accounts may also include sensitive personal data.
4. Purposes and legal basis of processing
- Contact and identification data.
- Information about electronic identification and electronic signatures (applicable in Sweden only).
- Legal obligation (article 6(1)(c) GDPR), to establish your identity pursuant to the Swedish Law (2017:630) on measures against money laundering and terrorist financing.
- To execute and perform Zaver’s agreement, or if applicable the merchant's/Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- Information about your financial standing.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- To execute and perform Zaver’s agreement, or if applicable the merchant's/Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- Legal obligation (article 6(1)(c) GDPR) pursuant to section 12 of the Swedish Consumer Credit Act, section 505a of the German Civil Code or corresponding legislation in the relevant jurisdiction).
- Legitimate interest. The processing is also based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in performing credit risk assessments in order to mitigate Zaver’s credit risk exposure and reduce credit losses. We ensure that the processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
Zaver monitors transactions, conducts risk assessments and creates risk models to prevent Zaver's services from being used in connection with money laundering, terrorist financing, fraud or other criminal activity.
- All categories of data may be processed for this purpose.
- To execute and perform Zaver’s agreement, or if applicable the merchant's / Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- Legal obligation (article 6(1)(c) GDPR), to establish the identity of our customers, perform risk assessments and monitor transactions pursuant to the Swedish Law (2017:630) on measures against money laundering and terrorist financing and applicable sanctions laws.
- Legitimate interest. The processing may also be based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in performing risk assessments and creating risk models in order to prevent Zaver's services from being used in connection with criminal activity. We ensure that the processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- If we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 6(1)(a) or 9(2) (a) GDPR) or that the processing is necessary in order to comply with the Swedish Law (2017:630) on measures against money laundering and terrorist financing and/or the sanctions laws.
- Payment information.
- Information indicating the purpose and nature of the transaction.
- To execute and perform Zaver’s agreement, or if applicable the merchant's/Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to carry out our business and complete the relevant payment transaction, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Contact and identification data.
- Technical information about your use of Zaver’s services and device information.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. It is also in your interest as a customer that we ensure a high level of network and information security. You may contact us for more information about the balancing test and our conclusion.
Your consent (article 6(1) (a) GDPR). The data Zaver processes for the purpose of maintaining a high level of security and safety can also be used in combination with other data collected through your consent (through cookies), in the form of aggregated information about the user, such as IP address.
- Contact and identification information.
- Information about your financial standing.
- Information indicating the purpose and nature of the transaction.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to carry out analysis and produce statistics for the purpose of product development and continuously evaluate and improve our credit risk models and our products, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- All categories of data may be processed. Zaver may collect additional information about you from other sources, including but not limited to, publicly available information on the internet, insofar that it is relevant to protect Zaver from legal claims and safeguard Zaver’s legal rights in an on-going dispute or other legal proceeding.
- To execute and perform Zaver’s agreement, or if applicable the merchant's/Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to protect ourselves from legal claims, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- If we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 9(2) (a) GDPR) or that the processing is necessary in order to comply with the Swedish Law (2017:630) on measures against money laundering and terrorist financing and/or the sanctions laws. If we process data collected through cookies, the legal basis is also your consent.
- Contact and identity data.
- Information indicating the purpose and nature of the transaction.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- Technical information about your use of Zaver’s services and device information.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in providing you with offers and other marketing, as well as identifying what marketing we should provide to you, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Your consent (article 6(1) (a) GDPR). The data Zaver processes for the purpose of marketing can also be used in combination with other data collected through your consent (through cookies), in the form of aggregated information about the user, such as IP address, interests (where the user has clicked, etc.).
- Contact and identity data.
- Information about your financial standing.
- Information indicating the purpose and nature of the transaction.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in acquiring and selling outstanding credits as part of carrying out our business in a way that we find suitable, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Contact and identity data.
- Information about your financial standing.
- Information indicating the purpose and nature of the transaction.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in acquiring and selling overdue debts as part of carrying out our business in a way that we find suitable, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- All categories of data may be processed.
- Varies depending on the recipient, see clause 6 of this policy.
- All categories of data may be processed.
- To execute and perform Zaver’s agreement, or if applicable the merchant's/Zaver’s cooperation partner's agreement with you (article 6(1)(b) GDPR).
- If sensitive personal data or information collected through cookies are processed, our processing of such data is based on your consent (article 9(2) (a) GDPR).
- Contact and identification data.
- Payment information.
- Information indicating the purpose and nature of the transaction.
- Information about your contacts with Zaver’s customer service.
- Transaction history and information about your use of Zaver’s and Zaver’s partners’ services.
- Legal obligation (article 6(1)(c) GDPR), pursuant to the Swedish Accounting Act (1999:1078) and other applicable law for payment institutions (including GDPR).
5. Automated decisions and profiling
Profiling means an automated processing of personal data to evaluate certain personal matters, for example, your financial situation, personal preference, behaviours or your place of residence.
Zaver’s and Zaver’s business partners’ decision on whether to offer one of the Zaver payment methods and determining the risk of fraud, money laundering and terrorism financing are based solely on automated decisions that includes profiling. Within the framework of the payment method and risk check, information from the externally used credit agencies (see clause 7), information from agencies that provide PEP and sanction lists, as well as information that we have about you is used. On the basis of mathematical-statistical methods (in particular methods of logistic regression or other statistical, partially automated optimisation models), a forecast is created, in particular about payment probabilities and, if applicable, risks of fraud and abuse, both through comparisons with groups of people who exhibited similar payment behaviour in the past and through historical analyses of fraud patterns (in particular through extrapolation to our target groups). Zaver’s and Zaver’s partners’ risk models include a large number of other factors such as internal credit risk appetite and the general risk assessment made of our respective business.
If you are not approved in regards to the automated decision making you will not have access to our services, such as our payment methods. Zaver has several security mechanisms to check that the decisions made are correct, which includes on-going overviews of our decision models, and random spot-checks in individual cases. You may contact Zaver if you disapprove of the outcome of the automated decision, and we will review your case.
In addition, profiling and automated decision making may be used by Zaver for market and customer analysis and marketing. You have the right to object to the processing of your personal data for direct marketing purposes, see clause 2.
6. Storage and third country transfer
Your personal data is stored and processed in electronic data management systems administered by Zaver. Zaver primarily processes your personal data within the EU/EEA. When we share your personal data, we ensure that the recipient processes it in accordance with this policy, e.g. by entering into data transfer agreements or data processor agreements with the recipients.
Zaver may transfer and process your personal data outside the EU/EEA. This is done only if the country to which the data is transferred or in which it is stored has an adequate level of data protection or if Zaver (or where applicable, our Data Processors ) has implemented appropriate safeguards, such as binding corporate rules or standard contract clauses.
7. Who we share your personal data with and where the information is transferred
Suppliers and subcontractors – Suppliers and subcontractors includes third parties that only have the right to process the personal data that Zaver transfers to these third parties on behalf of Zaver, i.e. so called data processors. Examples of such suppliers and subcontractors that Zaver uses are software and data storage providers, consultants (legal, risk and tech consultants). All categories of personal data may be shared with suppliers and subcontractors. Suppliers and subcontractors will only have access to your data to the extent and for the period necessary to provide the relevant service. We ensure that the suppliers and subcontractors process the data in accordance with this policy. Zaver has a legitimate interest in being able to access these services and functionality (article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
We use Google Workspace for email communication, internal collaboration and storage and we use Amazon Web Services (AWS) for cloud services, including hosting of cloud-based IT systems. In doing so, access to their data from a third country cannot be ruled out, see clause 6 above.
Authorities – Zaver may provide necessary information to authorities such as the police, financial authorities, tax authorities or other authorities and courts of law. All categories of personal data may be shared to authorities. Personal data is shared with the authority when we are required by law to do so, or in some cases if you have asked us to do so, or if required to manage tax deductions or counter crime. Depending on the authority and purpose, the legal bases are the obligation to comply with the law (article 6(1)(c) GDPR), to fulfil the agreement with you (article 6(1)(b) GDPR), or Zaver’s legitimate interest in protecting itself from crime (article 6(1)(f) GDPR). When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
Third parties in a transaction when you use Zaver’s services, for example, merchants and other users – Information such as Identity and Contact Information, Payment information and Information indicating the purpose and nature of the transaction may be shared with third parties who are involved in the processing of a transaction. This includes other users that you send or receive money from. If you have made a purchase from a merchant, we may provide the merchant from whom you made the purchase with the information it needs to properly fulfil and manage your order. This information is subject to the privacy policy of the relevant merchant. The legal basis for sharing your information with other parties in a transaction is either to fulfil an agreement with you (article 6(1)(b) GDPR) or based on Zaver’s legitimate interest to carry out its business (Article 6(1)(f) GDPR). All these third parties are located within the EES. When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
Banks, payment service providers, financial institutions and account information service providers – Banks, payment service providers, financial institutions and account information service providers provide services to Zaver to implement and administer electronic payments through a variety of payment methods. Zaver may share information such as Identity and Contact Information, Payment information and Information indicating the purpose and nature of the transaction with these companies to enable the transaction that you are a party to. When you choose to pay with Swish (only available in Sweden), Zaver will share information about the transaction with Swedbank AB (publ). If you choose to pay through a payment method provided by an external payment service provider that is available through Zaver’s services (e.g. Trustly), Zaver may share all categories of personal data with these third party payment service providers. The transfer of data takes place to fulfil the agreement with the merchant and/or to fulfil the agreement with you (article 6(1)(b) GDPR). If you do not have an agreement with Zaver the sharing is based on Zaver’s legitimate interest (article 6(1)(f) GDPR) to carry out its business. When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. All these third parties are located within the EES.
Debt acquirers of open debts - Zaver may transfer your open debt to debt acquirers. Upon transfer of your debt to an acquirer and continuously until you pay off the debt, Zaver will share your Contact and Identification information, Information about your financial standing, Information about purpose and nature of the transaction as well as Transaction history and information about your use of Zaver’s and Zaver’s partners’ services. The buyer will process your personal data in accordance with its own privacy notice. The sharing of personal data with different acquirers is based on our legitimate interest in selling outstanding debts as part of our business operations (article 6(1)(f) GDPR). When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. All debt acquirers are located within the EES.
Debt collection companies– Zaver may share your information when we sell or outsource collection of unpaid overdue debts through a third party, such as a debt collection company. Zaver will share your Contact and Identification information, Information about your financial standing, Information about purpose and nature of the transaction as well as Transaction history and information about your use of Zaver’s and Zaver’s partners’ services. This data is shared based on our legitimate interest in collecting or selling debt (article 6(1)(f) GDPR). When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. Debt collection companies that we may transfer your data to include but are not limited to Arvato Finance AB (Sweden) and Paigo GmbH (Germany). Please note that if we transfer unpaid debt to debt collection agencies, such agencies may in turn share information about your late payments to a credit bureau, which may affect your credit rating.
Social media companies - If you contact us via social media such as Facebook, Linkedin or Instagram, your personal data will also be collected and processed by these companies, in accordance with their privacy notices, see clause 6 above regarding transfer of data to third countries. The sharing of information with social media companies is performed to fulfil the agreement with you (article 6(1)(b) GDPR), see clause 6 above regarding transfer of data to third countries.
A person who holds a power of attorney for you – Zaver may share your personal information with a person who has the right to access it under a power of attorney. This processing is carried out to facilitate your contact with us (through agents), and takes place based on your consent (article 6(1)(a) GDPR).
Companies that provide PEP/Sanction lists – We share your personal data with companies that provide PEP- and sanction lists to control whether or not you are a politically exposed person or a relative or close associate to such a person (PEP/RCA status). Furthermore these companies check if you are on a sanction list. Zaver shares your name, date of birth and, if applicable, your social security number with Trapets AB in order to obtain data from PEP and sanctions lists. Zaver shares your information to fulfil legal obligations (article 6(1)(c) GDPR), as the companies that provide PEP/sanction lists have information that Zaver needs to comply with sanctions and achieve customer knowledge in accordance with applicable laws relating to anti-money laundering and terrorist financing. The processing may also be based on Zaver’s legitimate interest (article 6(1)(f) GDPR) to assess the risk connected to a specific user in order to ensure that Zaver’s services are not used in connection with money laundering, terrorist financing or other crimes (e.g. if Zaver has no obligation to comply with applicable laws relating to anti-money laundering and terrorist financing). When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose.
Credit information bureaus – If you apply to use Zavers payment services that involve credit being provided to you by us, the relevant merchant or by another third party (as applicable), we will share your personal data with credit information bureaus. Your personal information is shared with credit information bureaus in order to assess your creditworthiness in connection with your credit application, to confirm your identity and your contact information, and to protect us, the merchant or cooperation partners, users and customers from fraud. Zaver shares your information based on Zaver’s legitimate interest (Article 6(1)(f) GDPR), as the credit information bureaus have information about your financial standing which is important to ensure a correct credit and fraud assessment. When we transfer data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. The credit information bureau processes your personal data in accordance with its own privacy notice.
In Sweden, we will send your social security number to the credit information bureau to obtain credit information about you. The credit bureau will inform you that Zaver or our cooperation partner has requested credit information. The credit information bureau processes your personal data in accordance with its own privacy notice. Further below you can see the bureaus we work with in Sweden.
In Germany, we will send the credit bureau your name, address, date of birth and phone number in order to receive information on you. Zaver shares your data for the purpose of a credit check, obtaining information to assess the risk of non-payment based on mathematical-statistical methods using address data and to verify your address (check for deliverability). Further below you can see the bureaus we work with in Germany.
Authorities and/or Companies that provide identity information and fraud prevention - Your personal data will be shared with companies and authorities that carry out identity verification and fraud prevention. Zaver transfers your name, address, date of birth and phone number to verify your identity and the accuracy of the data you have provided, as well as to combat fraud and crime. Zaver shares your information based on Zaver’s legitimate interest (article 6(1)(f) GDPR), as the fraud prevention agencies and the companies that offer identity verification have information on fraud activities and identity confirmations that are necessary for Zaver to be able to reduce the number of fraudulent transactions. We ensure that the related processing is necessary to pursue that interest and that our interest outweighs your right not to process your data for that purpose. The companies and authorities that we work with are listed below. These companies may process your data in accordance with their own privacy policies.
Credit information bureaus and companies that provide identity information and fraud prevention that we work with
Germany
SCHUFA Holding AG
Kormoranweg 565201
Wiesbaden, Germany
https://www.schufa.de/schufa-en/data-privacy/
Infoscore Consumer Data GmbH (Experian)
Rheinstr. 99
76532 Baden-Baden Germany
Detailed information in accordance with Art. 14 GDPR, i.e. information on the business purpose, on the purposes of data storage, on the data recipients, on the right to self-disclosure, on the right to deletion or correction, etc. can be found in the attachment or under the following Link:
https://www.experian.de/icd-infoblatt
finAPI GmbH
Adams-Lehmann-Straße 44
80797 München, Germany
Detailed information in accordance with Art. 14 GDPR, i.e. information on the business purpose, on the purposes of data storage, on the data recipients, on the right to self-disclosure, on the right to deletion or correction, etc. can be found in the attachment or under the following Link:
https://www.finapi.io/en/data-protection-policy/
Austria
finAPI GmbH
Adams-Lehmann-Straße 44
80797 München, Germany
Detailed information in accordance with Art. 14 GDPR, i.e. information on the business purpose, on the purposes of data storage, on the data recipients, on the right to self-disclosure, on the right to deletion or correction, etc. can be found in the attachment or under the following Link:
https://www.finapi.io/en/data-protection-policy/
Experian Austria GmbH
Gumpendorfer Straße 21,
1060 Vienna, Austria
Detailed information pursuant to Article 14 GDPR, i.e. information on the business purpose, the purposes of data storage, the data recipients, the right to self-disclosure, the right to erasure or rectification, etc. can be found on their website at the following link: https://credify.at/datenschutz
https://www.experian.at/art-14-dsgvo-info
Sweden
We work with the following companies for identity check:
SPAR (Statens personadressregister), https://www.statenspersonadressregister.se/master/start/dina-personuppgifter
Roaring Group AB
Svärdvägen 7
182 33 Danderyd
https://www.roaring.io/sv/personuppgiftspolicy/
We work with the following companies in order to obtain a credit lookup:
Dun & Bradstreet Credit ABRosenborgsgatan 4-6
169 93 Solna
https://www.dnb.com/sv-se/dataskydd.html
UC AB
117 88 Stockholm
https://www.uc.se/upplysningskopian/
Norway
We work with the following companies in order to obtain a credit lookup:
Gjeldsregisteret AS
Snarøyveien 30 A
1360 Fornebu, Norway
The debt information is provided by Gjeldsregisteret AS. An overview of financial institutions that provide debt information to Gjeldsregisteret AS can be found at gjeldsregisteret.com.
8. Retention
We will not hold your personal data for longer than is necessary. We retain your personal data for as long as we need it for the purposes described in this policy, or to comply with our obligations under applicable law. Personal data that we are under a legal obligation to retain, for example under anti-money laundering laws or bookkeeping laws, is generally retained for 5 and 7 years respectively. Since we are under a legal obligation to retain your information, we cannot delete your data upon your request. If we have a legal obligation to retain your personal data, this does not entail that we are permitted to process your personal data for any other purpose. For instance, some information such as your contact information will be processed for several purposes and may for some purposes be processed only for a very short period but for other purposes for longer periods of time. The personal data that we do not need to keep for the purpose it was collected will be deleted. Zaver makes an assessment for each specific purpose of how long we may use your personal data.
Personal data used for the contractual relationship between you and us is generally stored for the duration of the contractual relationship and thereafter for a period of up to 3 - 10 years, depending on the applicable statutes of limitations for the contractual relationship. In Germany the applicable statute of limitation is 3 years and in Sweden the applicable statute of limitation is 10 years.
9. How we use cookies and other tracking technology
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. When you visit our websites, use our app, use our service or visit a third party’s website Zaver and our partners may collect information from you automatically through cookies or similar technology.
We use cookies in a range of ways to improve your experience, including but not limited to:
- Keeping you signed in
- Fill out forms
- Customising your experience
- Ensure the safety and stability of our services
- Monitor the use and performance of our services
- Advertising purposes
Some aspects and functions of our services are only available through the use of cookies. If you choose to disable or reject the use of cookies, the available services may be limited or you may not be able to use the services at all. You can read more about cookies in our cookie policy here.
10. Complaints
We work hard to make sure you feel safe regarding Zaver’s processing of your personal data. If you have any complaints in connection with our processing of your personal data you can contact us. You can also file a complaint with the Swedish Authority for Privacy Protection or with a supervisory authority in the Member State where you are living, working or where the suspected infringement has taken place.
11. Information about the processing of personal data for the merchant’s and their representatives/beneficial owner(s)
If you are a merchant with whom Zaver has an agreement with regarding the use of Zaver’s services, Zaver may process personal data such as information about the merchant’s representatives, board of directors and other key personnel (“Representatives”). Zaver may also process data relating to other employees of the merchant (“Merchant Employees”). We may also process data about representatives for direct and indirect owners of the merchant (i.e. companies within the same group as the merchant) (“Indirect Representatives”) and information about the merchant’s shareholders and beneficial owners (“Beneficial Owners”).
In addition to the categories of data listed in section 3 of this privacy policy, we may process the following categories of data:
Information about repute - such as e.g. whether the relevant individual have been a representative of a legal entity that has gone bankrupt or an entity that has been subject to sanctions from a supervisory authority
Company of employment and job title - Information on which merchant (or potential merchant) the individual is representing, job title, including any contact details.
Ownership details - Details about the relevant individuals ownership (shareholding) in the merchant and/or an indirect owner of the merchant
Information about your contacts with Zaver’s representatives - Chat conversations, email correspondence. If the relevant individual has contacted our customer service, recorded phone calls.
The personal data may be transferred to the third parties specified in this privacy policy. However, the above listed additional categories of data (Information about repute, Company of employment and job title, Ownership details, Information about your contacts with Zaver’s representatives) may only be transferred to the the following categories of recipients:
- Suppliers and subcontractors;
- Authorities; and
- Banks, payment service providers, financial institutions and account information service providers.
The rights that apply to customers' personal data processing in this policy also apply to personal data that is processed about Representatives, Merchant Employees, Indirect Representatives and Beneficial Owners of our existing and potential merchants.
- Contact and identification data.
- Company of employment and job title.
- Information about your contacts with Zaver’s representatives.
- Legitimate interest. The processing is also based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in contacting potential merchants in order to acquire new business in the course of carrying out our business. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Contact and identification data.
- Company of employment and job title.
- Information about your contacts with Zaver’s representatives
- To execute and perform Zaver’s agreement with the merchant (article 6(1)(b) GDPR).
- If sensitive personal data or information collected through cookies are processed, our processing of such data is based on your consent (article 9(2) (a) GDPR).
- Contact and identification data.
- Information about electronic identification and electronic signatures (applicable to Swedish citizens/residents only.
- Legal obligation (article 6(1)(c) GDPR), to establish your identity pursuant to the Swedish Law (2017:630) on measures against money laundering and terrorist financing.
- To execute and perform Zaver’s agreement with the merchant (article 6(1)(b) GDPR).
- Contact and identification data.
- Company of employment and job title.
- Information about repute.
- Legitimate interest. The processing is also based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in performing credit risk assessments. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- If we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 9(2) (a) GDPR)
- Contact and identification data.
- Company of employment and job title.
- Information regarding PEP and sanctions.
- Sensitive personal data and criminal offences.
- Information about your financial standing.
- Information about electronic identification and electronic signatures (applicable to Swedish citizens/residents only).
- Information about repute.
- Ownership details.
- Legal obligation (article 6(1)(c) GDPR), to establish the identity of our customers, perform risk assessments and monitor transactions pursuant to the Swedish Law (2017:630) on measures against money laundering and terrorist financing) and applicable sanctions laws.
- To execute and perform Zaver’s agreement with the merchant (article 6(1)(b) GDPR).
- f we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 9(2) (a) GDPR) or that the processing is necessary in order to comply with the Swedish Law (2017:630) on measures against money laundering and terrorist financing and/or the sanctions laws (artikel 9(2)(g) GDPR).
- Legitimate interest. The processing is also based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in performing risk assessments and creating risk models in order to prevent Zaver's services from being used in connection with criminal activity. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- All categories of data may be processed.
- To execute and perform Zaver’s agreement with the merchant (article 6(1)(b) GDPR).
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to protect ourselves from legal claims and safeguard our rights, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- If we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 9(2) (a) GDPR) or that the processing is necessary in order to comply with the Swedish Law (2017:630) on measures against money laundering and terrorist financing and/or the sanctions laws (article 9(2) (g) GDPR). If we process data collected through cookies, the legal basis is also your consent (artikel 6(1) (a) GDPR).
- Contact and identification data.
- Technical information about your use of Zaver’s services and device information.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. It is also in your interest as a customer that we ensure a high level of network and information security. You may contact us for more information about the balancing test and our conclusion.
- Your consent (article 9(2) (a) GDPR). The data Zaver processes for the purpose of maintaining a high level of security and safety can also be used in combination with other data collected through your consent (through cookies), in the form of aggregated information about the user, such as IP address.
- Contact and identity data.
- Company of employment and job title
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in providing you with offers and other marketing, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Contact and identity data.
- Company of employment and job title.
- Legitimate interest. The processing is based on a balancing of interests (article 6(1)(f) GDPR). When balancing interests, Zaver has concluded that we have a legitimate interest in producing statistical and business reports in the course of carrying out our business, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. You may contact us for more information about the balancing test and our conclusion.
- Contact and identity data.
- Company of employment and job title
- Legal obligation (article 6(1)(c) GDPR), pursuant to the Swedish Accounting Act (1999:1078) and other applicable law for payment institutions (including GDPR).
- All categories of data may be processed.
- Varies depending on the recipient, see clause 7 and 11 of this policy.
12. Applications
If you apply for a job with us we will process your personal data. The purpose of the data collection is the selection of applicants for the possible establishment of an employment relationship. In order to receive and process your application, we normally collect the following data: first and last name, e-mail address, telephone number, application documents (e.g. certificates, curriculum vitae, cover letter), date of the earliest possible job start, salary expectations, qualifications, employment history and references.
The legal basis for the processing of your application documents is Zaver’s legitimate interest (article 6(1)(f) GDPR) to find and employ suitable candidates for open positions at Zaver. When we process data based on our legitimate interest, we have concluded that the processing is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. We may also process your personal data to execute and perform the agreement with you (article 6(1)(b) GDPR) or on the basis of your consent (article 9(2) (a) GDPR). If we process sensitive personal data, the legal basis for our processing is that you have given your consent (article 9(2) (a) GDPR) or legal obligation (article 6(1)(c) GDPR) to perform a fit and proper assessment pursuant to the Swedish Law (2017:630) on measures against money laundering and terrorist financing.
If you apply for vacancies through Teamtailor or Linkedin, the data will be transferred to these third parties and processed in accordance with their respective data policies.